Re: 8.3 GSS Issues

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: 8.3 GSS Issues
Date: 2007-10-25 08:47:01
Message-ID: 20071025084701.GD24892@svr2.hagander.net
Lists: pgsql-hackers

On Fri, Oct 19, 2007 at 04:51:04PM -0700, Henry B. Hotz wrote:
> I know I haven't been very active for a while here, but I just got to
> testing the October 3 version a bit prior to getting back to the Java
> GSS client stuff I promised. There seem to be some funny things there.

Apologies for not responding to this one sooner.

BTW, what's the status on the Java stuff? Will it be around by the time 8.3
is released?

> The only serious issue is that the server doesn't require the realm
> name to match. I haven't looked at how that broke yet, but I know I
> was careful of that point in my original patches because it's always
> been wrong in the Kerberos 5 auth method.

I honestly don't remember exactly how that became. I think I stripped it
out in order to make it work like the krb5 method.

What you're asking for is basically a krb_match_realm parameter, or do I
understand you wrong?

> It appears that you can just put a complete (realm-included) name
> into postgres, so that's obviously the way to support gssapi
> connections from non-default realms.
>
> In short this is a security hole. IMO it should be fixed prior to
> release.

Can't you also configure the kerberos libraries on your machine not to
accept other realms than your own? IIRC, that was something considered at
the time, but I can't find a reference to such a discussion.

> ---------
>
> I notice there are hba options for gss and sspi both. Why?
>
> Is there some windows-only functionality it enables? Shouldn't we be
> using Microsoft's advertised GSSAPI/SSPI compatibility? If you build
> on Windows then I'm sure you want to link the SSPI libraries rather
> than require installation of a separate package, but that shouldn't
> change the functionality or the wire protocol AFAIK. In other words
> I would expect this to be a build-time option.

There was discussion about this, and we were presented with clear cases
where you'd want to be able to do either one. Making it a build option
doesn't help the 99.9% of Windows users that use a pre-packaged binary
distribution.

> ---------
>
> At the risk of diluting my message: I still think it's a mistake to
> call it gss instead of something like gss-noprot. I believe this
> will cause misunderstandings in the future when we get the security
> layer of gssapi implemented.

Well, I don't agree with this, but if others want it changed, it can
certainly be changed. And it can only be changed *now*, and not once we
release.

But we have "host" and "hostssl", not "hostnossl" and "host". So the way we
are doing it now is IMO more consistent with what we have in other parts of pg.

> ---------
>
> There's no way to specify the gssapi library to use. I have three on
> my main development Sun: MIT, Sun, and Heimdal. I might have more
> than one version of one of those three at some times. Of course
> there's no way to specify which kerberos 5 library or openssl library
> you want either, so consider this a feature request for future
> development.

Yeah, that's something that can be done for 8.4, certainly not something we
can put in now. But I'll be happy to see a patch once we open the tree for
8.4 :-)

//Magnus
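
The realm check discussed in this thread, as an added example that is not part of the original message and is not PostgreSQL's code: it compares an authenticated principal against an expected user with the realm discarded and with the realm enforced. The function names, the `name@REALM` text form with backslash escaping, and the sample principals are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Locate the '@' separating name from realm; a backslash escapes the next
 * character (assumed text form). Returns NULL when no realm is present. */
static const char *realm_separator(const char *principal)
{
    for (const char *p = principal; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                      /* skip the escaped character */
        else if (*p == '@')
            return p;
    }
    return NULL;
}

/* Weak check: the realm is discarded before comparing, so a principal
 * from any realm passes as the local user of the same name. */
bool match_ignoring_realm(const char *principal, const char *user)
{
    const char *sep = realm_separator(principal);
    size_t n = sep ? (size_t)(sep - principal) : strlen(principal);
    return strlen(user) == n && memcmp(principal, user, n) == 0;
}

/* Strict check: name must match and realm must equal the expected one
 * (byte-exact comparison, realm names being case-sensitive). */
bool match_with_realm(const char *principal, const char *user, const char *realm)
{
    const char *sep = realm_separator(principal);
    if (sep == NULL)
        return false;   /* no realm given: refuse instead of assuming one */
    return match_ignoring_realm(principal, user) && strcmp(sep + 1, realm) == 0;
}

int main(void)
{
    /* Constructed principals; EXAMPLE.ORG stands for the server's realm. */
    const char *seen[] = { "alice@EXAMPLE.ORG", "alice@OTHER.EXAMPLE", "alice" };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%-22s ignoring-realm=%d with-realm=%d\n", seen[i],
               match_ignoring_realm(seen[i], "alice"),
               match_with_realm(seen[i], "alice", "EXAMPLE.ORG"));
    return 0;
}
```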
